12. Implementing SCEP on a Cisco Device

Cisco literally invented SCEP, so it’s no surprise that devices such as their ASA security appliances support it. However, as with other devices, SCEP is not simple to set up on Cisco hardware.

Before we get into this, I’ll throw out a caveat: Stop right now if you are not familiar with the Cisco Internetwork Operating System (IOS, as opposed to iOS), configuring Cisco devices, and SSL. As tricky as it can be to set up SCEP on other platforms, making a mistake with a network appliance can ruin your entire day or year. Make sure you have good backups of your running configuration, and don’t commit any changes until you’ve tested them.

Taking the Initial Steps

The only real documentation I could find on implementing SCEP on Cisco devices was on the Cisco website. So, yeah, it was not written for “normals” at all. I know that some people are using Cisco devices for SCEP, but getting any real-world information from them proved effectively impossible (not because they didn’t want to provide it, but because they weren’t sure if they could tell me how to do so without giving away details they didn’t want given away). Even according to my Cisco rep, the online documentation I used for this chapter was all they had, and it was based on a device in a clean, lab setup, not the real world. So, here’s another plea to anyone reading this: If you can come up with a reliable, repeatable way to set up SCEP that can be explained to people who aren’t Cisco-certified, publish it on a website somewhere. You’ll be a hero.

For this chapter, we’re assuming that you’re using a Cisco ASA 5500 series security appliance running Cisco IOS 8.x. You’ll also need the Cisco AnyConnect VPN version 2.4 or later. (The AnyConnect VPN client for iOS is available from the App Store.)

Here’s a very high-level overview of how SCEP works with Cisco devices:

1. A device with the AnyConnect client connects to an ASA that has a group policy and an XML connection profile set up for SCEP. The device connection has to fail the initial attempt at certificate authentication (because if it doesn’t, it doesn’t need the cert, and the whole SCEP process never happens). So, the device should not have a valid connection certificate installed on it. Also, if someone successfully logs in to the correct group associated with the policy et al., enrollment will be automatic.

2. The device sends a request for a certificate with parameters that are defined in the XML profile attached to the policy.

3. The CA on the device automatically denies or approves the request.

4. The device downloads the certificate via SCEP.

In this scenario, you’re using the ASA only for the certificate setup. You’ll want to configure a different web server to perform the actual profile install.

The AnyConnect SCEP Settings

The AnyConnect VPN uses XML-based settings profiles to configure the client. To configure SCEP, you’ll need to add a few specific elements to the connection profile:

• <AutomaticSCEPHost>: This is the fully qualified DNS name or the IP address of the ASA, followed by the name (alias) of the connection profile/tunnel group that is configured for SCEP enrollment, for example:

<AutomaticSCEPHost>asa.bynkii.com/ios_scep</AutomaticSCEPHost>

• <CAURL>: This identifies the SCEP CA server. Its attributes hold the challenge password setting and the thumbprint (MD5 or SHA1 hash) of the CA cert, which the client uses to confirm it is enrolling with the intended CA rather than some other server answering at that URL:

<CAURL PromptForChallengePW="true" Thumbprint="245F2342D14D22345245A1234523C2234567">http://ca.bynkii.com</CAURL>

• <CertificateSCEP>: This defines how the contents of the certificate are requested. This block contains several elements, as in this example:

<CertificateSCEP>
    <CADomain>bynkii.com</CADomain>
    <Name_CN>%USER%</Name_CN>
    <Department_OU>Curmudgeonry</Department_OU>
    <Company_O>Misanthropic Yoyodyne</Company_O>
    <State_ST>FL</State_ST>
    <Country_C>US</Country_C>
    <Email_EA>%USER%@bynkii.com</Email_EA>
    <Domain_DC>bynkii.com</Domain_DC>
    <DisplayGetCertButton>false</DisplayGetCertButton>
</CertificateSCEP>

The elements within the block are pretty simple to dope out. CADomain is the domain of the certificate authority (CA), in this example, bynkii.com. Name_CN, or Common Name, is the user name. By using the %USER% variable, the username used when logging into the ASA is automatically applied here.

Department_OU is the user’s department. Company_O is the company name, State_ST is the state, Country_C is the country. Email_EA is the user’s email address, and again we use %USER% substitution to simplify things for the user. Domain_DC is the domain component, which is also bynkii.com in this case. Since we don’t want the manual Get Certificate button displayed, we set that to false.

If we put this all together in a client profile, the SCEP section would look like:

<CertificateEnrollment>
    <AutomaticSCEPHost>asa.bynkii.com/ios_scep</AutomaticSCEPHost>
    <CAURL PromptForChallengePW="false" Thumbprint="245F2342D14D22345245A1234523C2234567">http://ca.bynkii.com</CAURL>
    <CertificateSCEP>
        <CADomain>bynkii.com</CADomain>
        <Name_CN>%USER%</Name_CN>
        <Department_OU>Curmudgeonry</Department_OU>
        <Company_O>Misanthropic Yoyodyne</Company_O>
        <State_ST>FL</State_ST>
        <Country_C>US</Country_C>
        <Email_EA>%USER%@bynkii.com</Email_EA>
        <Domain_DC>bynkii.com</Domain_DC>
        <DisplayGetCertButton>false</DisplayGetCertButton>
    </CertificateSCEP>
</CertificateEnrollment>

The full profile is fairly huge, and not particularly germane to this chapter. If you need that level of help with your ASA, I highly recommend contacting your Cisco rep or a Cisco consultant.
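Before uploading a profile, it is worth sanity-checking the CertificateEnrollment block, since a malformed thumbprint or a host without its tunnel-group alias is exactly the kind of mistake that makes enrollment fail silently. The following script is an added example, not Cisco’s code or anything from the chapter: it parses a constructed profile fragment modelled on the one above (with a made-up 40-character SHA1-length thumbprint), checks the thumbprint length and CAURL form, and shows how %USER% substitution produces the subject fields for a given login name. The checks and their wording are my own assumptions about what is worth validating, not rules AnyConnect enforces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile fragment, modelled on the chapter's example.
# The thumbprint is a made-up 40-hex-character (SHA1-length) value, not a real CA's.
PROFILE = """<CertificateEnrollment>
  <AutomaticSCEPHost>asa.bynkii.com/ios_scep</AutomaticSCEPHost>
  <CAURL PromptForChallengePW="true"
         Thumbprint="0123456789ABCDEF0123456789ABCDEF01234567">http://ca.bynkii.com</CAURL>
  <CertificateSCEP>
    <CADomain>bynkii.com</CADomain>
    <Name_CN>%USER%</Name_CN>
    <Department_OU>Curmudgeonry</Department_OU>
    <Company_O>Misanthropic Yoyodyne</Company_O>
    <State_ST>FL</State_ST>
    <Country_C>US</Country_C>
    <Email_EA>%USER%@bynkii.com</Email_EA>
    <Domain_DC>bynkii.com</Domain_DC>
    <DisplayGetCertButton>false</DisplayGetCertButton>
  </CertificateSCEP>
</CertificateEnrollment>"""

# Digest lengths in hex characters for the two hashes the chapter mentions.
HEX_LENGTHS = {32: "MD5", 40: "SHA1"}

def check_profile(xml_text):
    """Return a list of problems found in the CertificateEnrollment block (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    host = (root.findtext("AutomaticSCEPHost") or "").strip()
    # The host must carry the tunnel-group alias after the slash, e.g. asa.example.com/ios_scep
    if "/" not in host or not host.split("/", 1)[1]:
        problems.append("AutomaticSCEPHost must be host/tunnel-group-alias")
    caurl = root.find("CAURL")
    if caurl is None:
        problems.append("CAURL element missing")
    else:
        thumb = caurl.get("Thumbprint", "")
        if not re.fullmatch(r"[0-9A-Fa-f]+", thumb) or len(thumb) not in HEX_LENGTHS:
            problems.append("Thumbprint is not a 32-hex (MD5) or 40-hex (SHA1) digest")
        if not (caurl.text or "").strip().startswith(("http://", "https://")):
            problems.append("CAURL text is not an http(s) URL")
    return problems

def subject_for(xml_text, user):
    """Expand %USER% and return the subject fields the client would put in its request."""
    scep = ET.fromstring(xml_text).find("CertificateSCEP")
    return {child.tag: (child.text or "").replace("%USER%", user)
            for child in scep if child.tag != "DisplayGetCertButton"}
```

Run it against the real profile you plan to upload; an empty list from check_profile is the goal, and the subject_for output is what to compare against the CA’s issued certificate once a test enrollment succeeds.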

Configuring the ASA

So far, we have our XML file set. Now the task is to get it onto the ASA.

First, you need to have the connection group and the policy that the XML profile will be attached to. You’ll then want to create an alias on your ASA that points to that group, and put that alias in the <AutomaticSCEPHost> section of the XML file.

Configure the connection group so that the XML profile you’re going to upload to the ASA is attached to that group.

Finally, set up appropriate access controls for the group.

Then go to the SSL VPN Client settings and upload the XML profile to the device. Next, add a certificate enrollment group policy that uses the SSL VPN Client (such as AnyConnect) as the tunneling protocol. Enable and configure Split Tunneling. In the SSL VPN Client settings, use the XML profile you uploaded as the file in the “Client Profile to Download” settings.

With that done, you’ll need to create certificate authentication settings. Create another group policy for this with the appropriate settings for your setup. (I’m sorry to be so general here, but authentication settings are almost infinite in number, and ASAs offer many ways to handle authentication.)

Next, create a certificate enrollment connection profile. In this profile, make sure that the alias matches the value in the <AutomaticSCEPHost> section of the profile. Also, be sure to match the group policy for this connection profile with the certificate enrollment group policy that you created earlier.

Then, create a certificate authentication connection profile. Make sure the alias and group policy names match the name you set up for the certificate authentication group policy.

Now enable the <AutomaticSCEPHost> alias by going into the AnyConnect Connection Profiles settings on the ASA, and enabling the following login page setting:

Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup is the connection profile.

(Yes. That’s the name of the setting. Can you tell Cisco is only good at talking to Cisco people?)

Testing It All

With any luck, all you have left to do is fire up the AnyConnect client on the iOS device, and connect to your ASA. Point the client at the certificate enrollment profile you created, enter the correct username and password, tap Connect, tap Enroll, and bang, done.

If it doesn’t work (and there are numerous places you can go sideways or become completely inverted in this process), call a good consultant or your Cisco rep.

The documentation I used for this chapter is available at www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml and at www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html.

Wrapping Up

Be aware that Cisco has gotten better about supporting multiple platforms in recent years, but they still really assume that everyone uses Windows. However, that’s what makes this so much fun. (Want even more fun? The OS on the ASA is called IOS, which is not iOS, the OS on the iPhone/iPad/iPod Touch. With that in mind, search Cisco’s support documentation for “iOS.” Wheee! You get a hit for everything! Wheeee! Are we having fun yet?)

By now, I think we’ve had enough of SCEP to last us . . . well, a very long time. Next up, we’ll move on to the very, very cool thing that is Mobile Device Management, and managing iOS devices the way we really, really want to.
